Hacking Loopholes Remain, Consumers Deserve Better

After an “Arab spring”, it’s been a summer of security breaches. But, while the press, politicians and police chiefs turn themselves inside-out over voicemail “hacking”, each is overlooking the root cause – lax data security rules.

Access gained to victims’ mobile voicemail by tabloid reporters barely involved enough technical skill to merit the term “hacking”. It required only awareness of a glaring security hole left open for years by many mobile networks – a carrier-wide default voicemail PIN, accepted when the caller was routed to voicemail on an unanswered call to the victim.
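The control the article says the networks lacked is simple to state: a default PIN must never be enough for remote access, and the subscriber must set their own non-trivial PIN before dial-in access works. The following is an added example (not code from the article or from any operator) that models that policy for a mailbox: the default PIN value, the minimum length and the lockout threshold are constructed placeholders, not any carrier's real settings.

```python
"""Voicemail PIN policy and remote-access gate (added example, not from the article).

Models the defensive rule the piece argues regulators should have required:
a carrier-wide default PIN is never valid for remote (dial-in) access, the
user must set a non-trivial PIN first, and repeated failures lock the box.
All constants below are constructed placeholders.
"""
import hmac
from dataclasses import dataclass

CARRIER_DEFAULT_PIN = "0000"   # constructed placeholder, not a real operator default
MIN_PIN_LENGTH = 4             # assumed policy value
MAX_FAILED_ATTEMPTS = 3        # assumed policy value


@dataclass
class Mailbox:
    pin: str
    pin_changed_by_user: bool = False  # False while the carrier default is still in place
    failed_attempts: int = 0
    locked: bool = False


def is_trivial(pin: str) -> bool:
    """True for all-same digits or a straight ascending/descending run (1234, 9876)."""
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def pin_policy_violations(pin: str) -> list[str]:
    """Return the list of policy rules a proposed PIN breaks (empty means acceptable)."""
    problems = []
    if not pin.isdigit():
        problems.append("non-digit characters")
    if len(pin) < MIN_PIN_LENGTH:
        problems.append("too short")
    if pin == CARRIER_DEFAULT_PIN:
        problems.append("carrier default PIN")
    if pin.isdigit() and is_trivial(pin):
        problems.append("trivial sequence")
    return problems


def set_pin(box: Mailbox, new_pin: str) -> bool:
    """Apply a user-chosen PIN if it passes policy; marks the default as replaced."""
    if pin_policy_violations(new_pin):
        return False
    box.pin = new_pin
    box.pin_changed_by_user = True
    box.failed_attempts = 0
    return True


def remote_access(box: Mailbox, pin_entered: str) -> str:
    """Decide a dial-in login attempt: 'granted', 'denied', 'locked' or a setup-required message."""
    if box.locked:
        return "locked"
    if not box.pin_changed_by_user:
        # The default PIN never grants remote access, even if typed correctly.
        return "denied: default PIN must be changed from the handset first"
    # Constant-time comparison so the check itself leaks nothing about the PIN.
    if not hmac.compare_digest(pin_entered, box.pin):
        box.failed_attempts += 1
        if box.failed_attempts >= MAX_FAILED_ATTEMPTS:
            box.locked = True
            return "locked"
        return "denied"
    box.failed_attempts = 0
    return "granted"


if __name__ == "__main__":
    box = Mailbox(pin=CARRIER_DEFAULT_PIN)
    print(remote_access(box, CARRIER_DEFAULT_PIN))   # denied: default PIN must be changed ...
    print(set_pin(box, "1234"), set_pin(box, "4829"))  # False True
    print(remote_access(box, "4829"))                 # granted
```

The important design choice is the `pin_changed_by_user` flag: the mailbox refuses dial-in access until the subscriber has replaced the default, so a known carrier-wide PIN is useless to anyone who is not holding the handset, regardless of whether the user ever reads the manual.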

But most new mobile customers aren’t told about the risk by salespeople, leaving warnings confined to the pages of manuals nobody reads. It’s like buying a house without a front door. And it’s a trick likely perpetrated not just by tabloid investigators but also by countless suspicious lovers around the world.

Ofcom tells paidContent it does not have any jurisdiction over voicemail security since it regulates mobile spectrum only. The Information Commissioner’s Office, which Ofcom suggested might be responsible, tells paidContent voicemail security does not fall under its auspices either, since there had been no breach of the Data Protection Act, which it administers.

That leaves the issue a matter for operators and prosecutors. Despite issuing general consumer guidance, the mobile industry has no unified position on how carriers should deploy security, its GSM Association umbrella tells paidContent.

Convictions under the blunt instrument of the Regulation of Investigatory Powers Act, for telecommunications “interception”, have happened and will happen in the “phone hacking” scandal only because no authority has ever required the mobile networks to close their security loophole.

Thank heavens some of them belatedly have, under their own volition, when the inevitable consequences came to light. In the UK, Vodafone (NYSE: VOD) and O2 tell paidContent they stopped issuing default PINs in 2006, the year the first phone hacking allegations surfaced. Orange says it never issued default PINs. T-Mobile says it began phasing them out in 2002. We’re still awaiting comment from T-Mobile and Three.

Security of this sort should be baked into online systems as a requirement. Had the mobile industry been required to guarantee customers’ security, phone “hacking” may never have been possible – and police and public inquiries at great expense would never have been necessary. The whole sorry episode makes clear that the businesses to which consumers entrust their private lives can’t be relied upon to act responsibly – but the state’s regulators have failed to require them to do so.

It is in this light we must now regard the growing list of hacks which are exposing our private data. From Gawker to PlayStation, Fox.com to Codemasters.com, hackers are finding and republishing information like website members’ passwords and credit card numbers – and revelling in the ease. For every well-intentioned white hat hacker drawing attention to these security flaws, there may yet be a nefarious breacher who wants to wantonly abuse consumers’ data. Consumers should be worried, and should call for action.

The UK’s Data Protection Act already requires that companies which hold data about individuals have adequate security measures in place to protect that data. Yet, despite ongoing successful hacks, no such sites are getting prosecuted for operating security the perpetrators themselves often mockingly call woeful.

Minimum security requirements should be established urgently. It is now time for authorities to heed their failure of voicemail security regulation and act more strongly against what is becoming a web hacking epidemic.